Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-25 05:41:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1737198 - Part 7: Update source docs to mention strict fallback mode. r=necko-reviewers,valentin

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D132115
This commit is contained in:
Nihanth Subramanya 2021-12-02 13:21:55 +00:00
parent bdcc5aef9e
commit e35125acf0
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
netwerk/docs/dns/dns-over-https-trr.rst
View File

@ -18,17 +18,29 @@ that normally listens on port 53.
DoH Rollout
-----------
**DoH Rollout** refers to the webextension code that decides whether TRR will
**DoH Rollout** refers to the frontend code that decides whether TRR will
be enabled automatically for users in the `rollout population <https://support.mozilla.org/kb/firefox-dns-over-https#w_about-the-us-rollout-of-dns-over-https>`_.
The functioning of this module is described `here <https://wiki.mozilla.org/Security/DNS_Over_HTTPS>`_.
The code lives in `browser/components/doh <https://searchfox.org/mozilla-central/source/browser/components/doh>`_.
Implementation
--------------
When enabled TRR may work in two modes, TRR-first (2) and TRR-only (3). These are controlled by the **network.trr.mode** or **doh-rollout.mode** prefs.
The difference is that when a DoH request fails in TRR-first mode, we then fallback to **Do53**.
For TRR-first mode, we have a strict-fallback setting which can be enabled by setting network.trr.strict_native_fallback to true.
With this, while we will still completely skip TRR for certain requests (like captive portal detection, bootstrapping the TRR provider, etc.)
we will only fall back after a TRR failure to **Do53** for three possible reasons:
1. We detected, via Confirmation, that TRR is currently out of service on the network. This could mean the provider is down or blocked.
2. The address successfully resolved via TRR could not be connected to.
3. TRR result is NXDOMAIN.
In other cases, instead of falling back, we will trigger a fresh Confirmation (which will start us on a fresh connection to the provider) and
retry the lookup with TRR again. We only retry once.
DNS name resolutions are performed in nsHostResolver::ResolveHost. If a cached response for the request could not be found, nsHostResolver::NameLookup will trigger either
a DoH or a Do53 request. First it checks the effective TRR mode of the request
is as requests could have a different mode from the global one.
@ -72,6 +84,8 @@ The confirmation state has one of the following values:
The state machine for the confirmation is defined in the `HandleConfirmationEvent` method in `TRRService.cpp`.
If strict fallback mode is enabled, Confirmation will set a flag to refresh our connection to the provider.
Excluded domains
----------------